Malicious virus shuttered power plant – introduced by employee

Duh!

A computer virus attacked a turbine control system at a U.S. power company last fall when a technician unknowingly inserted an infected USB computer drive into the network, keeping a plant off line for three weeks, according to a report posted on a U.S. government website.

The Department of Homeland Security report did not identify the plant but said criminal software, which is used to conduct financial crimes such as identity theft, was behind the incident.

It was introduced by an employee of a third-party contractor that does business with the utility…

In addition to not identifying the plants, a DHS spokesman declined to say where they are located.

Justin W. Clarke, a security researcher…noted that experts believe Stuxnet was delivered to its target in Iran via a USB drive. Attackers use that technique to place malicious software on computer systems that are “air gapped,” or cut off from the public Internet.

“This is yet another stark reminder that even if a true ‘air gap’ is in place on a control network, there are still ways that malicious targeted or unintentional random infection can occur,” he said.

Yes, you can rely on human beings to do something dumb!

Many critical infrastructure control systems run on Windows XP and Windows 2000, operating systems that were designed more than a decade ago. They have “auto run” features enabled by default, which makes them an easy target for infection because malicious software loads as soon as a USB is plugged into the system unless operators change that setting, Clarke said…

A DHS spokesman could not immediately be reached to comment on the report.

The largest single category of so-called hacking attacks – which had nothing to do with hacking, of course – was spearphishing emails sent to specific employees of public utilities. The emails including a suggestion to “click here” for more information. They did.